Secret CSO: Steve McGee, Censinet

Censinet's Chief Information Security Officer Steve McGee talks about current trends in healthcare cybersecurity, risk management and more.

Ed Gaudet | January 17, 2020


Name: Steve McGee

Organisation: Censinet

Job title: Chief Information Security Officer

Date started current role: September 2019

Location: Boston

Steve McGee currently serves as Chief Information Security Officer at Censinet and has more than 25 years of experience in technical and operational security leadership roles in healthcare IT. From 2010 – 2016, McGee led the Information Security team at Curaspan (now naviHealth, a Cardinal Health Company) where he led the ISO 27002-compliant InfoSec program and created a culture of security. He has served various operational IT and InfoSec roles at PHT Corporation (now ERT), Ingenix (now Optum) and Draper Laboratory.

What was your first job? For my first job I delivered newspapers in my neighborhood. It taught me valuable lessons in customer satisfaction, money and time management, all of which I still utilize today.

How did you get involved in cybersecurity? Early on in my professional career, the Internet started becoming this amazing tool for businesses to leverage. However, along with all of the positive aspects of the Internet, I also learned that it could be used for nefarious purposes. The company that I worked for at the time had metrics on how quickly attempts of these activities were scaling up against our organisation and it really opened my mind to the dynamics of the problem, better ways to play defense and how to lobby for compensating controls to address it. I still remember it being like a digital game of cops and robbers.

What was your education? Do you hold any certifications? What are they? I have a Bachelor of Science in Engineering Technology with a focus on Computer Technology. I plan to update my GIAC Security Leadership Certification (GSLC) in the coming months.

Explain your career path. Did you take any detours? If so, discuss. My undergraduate studies were coupled with practical experience and learning in a co-op program. I started programming with ‘old school’ languages (Pascal, Fortran, Assembly), but then the Internet started becoming more important. This created opportunity to direct my career towards learning and applying computer networking principles and TCP/IP to LAN, WAN and site-to-site VPNs, and it just went from there.

Was there anyone who has inspired or mentored you in your career? University professors inspired me with the application of the practical side of computer engineering (programming projects, building ALUs and some early VLSI fun) rather than just the theoretical side of electrical and computer engineering. I was very inquisitive about networks, topologies, etc. and was fortunate to work with a myriad of senior staff mentors that took time to explain concepts and how they were being applied, which was a great source of inspiration.

What do you feel is the most important aspect of your job? Always thinking about the right balance. For example, when to use compensating controls while limiting the hurdles to workflows; allowing flexibility in InfoSec-related policies and procedures that we adopt and having faith that people will do the right thing. And, when they don’t, leveraging those instances as teaching moments and opportunities that help reinforce my responsibilities as an InfoSec leader.

What metrics or KPIs do you use to measure security effectiveness? Seeing the trends of both soft and hard numbers – those that show the effectiveness of a firewall, SIEM and the breakdown of security-related issues we’re addressing in our products and services. The soft numbers are the stories brought to my attention that indicate core and reinforced security awareness training is having an impact or needs adjusting to keep up with new threats.

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill? From my perspective at a small company, the shortage is not affecting the organization yet, but I’m certain that won’t always be the case. While I agree there is a security skills shortage across most industries – you have to do more with less; you have to at least be aware of what AI/ML can help you do, or do more of and you have to automate when you can and teach as much as you can. To address skills gaps, you need to hire the right vendors and contractors that have the experience and skills you need and who deliver results.

Cybersecurity is constantly changing – how do you keep learning? I’m in constant ‘sharpen the saw’ mode: reading cybersecurity articles, whitepapers and listening to podcasts, attending webinars, going to industry conferences and exchanging experiences with other cybersecurity professionals. Teams can learn a lot through planning and conducting exercises—incident response, disaster recovery, even something as fundamental as backup and restore exercises to see how you would do given a ransomware scenario. There will always be fundamental principles, but cyber skills constantly require tuning and adjustment to address new risks, new technologies and new concepts.

What conferences are on your must-attend list? Cyber Defense Initiative and SANS-sponsored training conferences, plus several healthcare-related conferences and forums like HIMSS and CHIME.

What is the best current trend in cybersecurity? The worst? Best: How to best make use of AI and ML to help with automation, analytics and recognising IoCs quicker and responding faster. I also love the various information sharing organizations for the health industry that fit your type and size of organisation (HIC-MISO).

Worst: proliferation of devices (IoT and medical devices) and rogue procurement. You can’t protect what you don’t know that you have, which is a real asset and risk management problem.

What’s the best career advice you ever received? Read and learn as much as you can as often as you can. Things change so quickly that if you don’t keep up with the changes you’ll be left in the dust.

What advice would you give to aspiring security leaders? Do all you can to understand and address where and how security fits into the mission, goals and priorities of your organization. Additionally, attend conferences to share experiences, war stories, etc. and learn how those other aspiring leaders are addressing their organizations’ mission and goals that are different from yours.

What has been your greatest career achievement? Working with a limited budget and driving an information security program towards compliance with ISO 27002. That’s a bear of an infosec framework for a small organization and to achieve that took time, patience and a lot of management and organizational support.

Looking back with 20:20 hindsight, what would you have done differently? Force myself to take the time to network more with peers and get in a rhythm of sharing experiences with other peer professionals. We’re so busy minding the store, we can easily forget to learn from and connect with others.

What is your favourite quote? “Those who cannot remember the past are condemned to repeat it.” – George Santayana.

What are you reading now? The Do No Harm 2.0 report and a very interesting research article from Health Research and Educational Trust about how data breach remediation efforts can potentially have negative implications to hospital care delivery.

In my spare time, I like to… get outdoors and get into nature – walk the woods, hike the hills and stroll the beach.

Most people don’t know that I… love being at the grill or just cooking in general.

Ask me to do anything but… eat anything with eggplant.

This article was originally published on IDG Connect
